CVE-2025-15380
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress sites using the NotificationX plugin. When users visit a specially crafted page that auto-submits a form to the vulnerable site, the scripts execute in their browsers. All WordPress sites running NotificationX plugin versions up to 3.2.0 are affected.
💻 Affected Systems
- NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware on visitor devices.
Likely Case
Attackers would typically use this to steal session cookies or redirect users to phishing pages to harvest credentials.
If Mitigated
With proper Content Security Policy headers and input validation, the impact would be limited to script execution within the specific vulnerable page context.
🎯 Exploit Status
Exploitation requires tricking users into visiting a malicious page that auto-submits a form, but the technical complexity of the XSS injection itself is low.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.1
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the NotificationX plugin.
4. Click 'Update Now' if available, or manually update to version 3.2.1 or later.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable NotificationX plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate notificationx
Implement Content Security Policy
Add CSP headers to restrict script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
Note that WordPress core, themes and plugins commonly rely on inline scripts, so a policy this strict can break site functionality; roll it out first as Content-Security-Policy-Report-Only and review the violation reports before enforcing it.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Restrict access to the WordPress admin interface to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the NotificationX version. If the version is 3.2.0 or lower, the site is vulnerable.
Check Version:
wp plugin get notificationx --field=version
Verify Fix Applied:
After updating, verify NotificationX plugin shows version 3.2.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with nx-preview parameter containing script tags
- Multiple failed login attempts following suspicious preview submissions
Network Indicators:
- Outbound connections to suspicious domains following visits to pages with auto-submitting forms
- Unusual traffic patterns to WordPress preview endpoints
SIEM Query:
source="wordpress.log" AND ("nx-preview" AND ("<script>" OR "javascript:" OR "onload=" OR "onerror="))
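The following Python script is an added example, not part of this advisory or of the NotificationX project. It covers two sections above: the version check from "How to Verify" (comparing the string returned by `wp plugin get notificationx --field=version` against the fixed release 3.2.1) and the log indicators from "Detection & Monitoring". The log lines it scans are constructed here for illustration; the assumed format (timestamp, client, method, path and a quoted request body) is not a real WordPress log format. Unlike the raw-string SIEM query above, the scanner URL-decodes the nx-preview value (repeatedly, to handle double encoding) before looking for the advisory's script markers, which closes the gap where a percent-encoded request would slip past a literal match.

```python
"""Added example for CVE-2025-15380 triage: version check and log scan.

Assumptions (not from the advisory): log lines are single text lines that
contain the request path and a quoted, URL-encoded request body. The
parameter name 'nx-preview' and the four script markers are taken from the
advisory's detection section.
"""
import re
from urllib.parse import unquote_plus

FIXED_VERSION = "3.2.1"
# Markers from the advisory's SIEM query, compared case-insensitively.
SCRIPT_MARKERS = ("<script", "javascript:", "onload=", "onerror=")
PARAM_RE = re.compile(r'nx-preview=([^&\s"]*)')

# Constructed sample log lines (not real traffic). Line 3 carries a
# percent-encoded script tag, line 4 an event handler attribute, and
# line 5 a double-encoded script tag that a literal match would miss.
SAMPLE_LOG = [
    '2025-12-01T10:00:01Z 198.51.100.7 GET /wp-admin/admin-ajax.php body=""',
    '2025-12-01T10:00:02Z 198.51.100.7 POST /wp-admin/admin-ajax.php body="nx-preview=Welcome+to+the+sale"',
    '2025-12-01T10:00:03Z 203.0.113.5 POST /wp-admin/admin-ajax.php body="nx-preview=%3Cscript%3Etest%3C%2Fscript%3E&x=1"',
    '2025-12-01T10:00:04Z 203.0.113.5 POST /wp-admin/admin-ajax.php body="nx-preview=%3Cimg%20onerror%3Dx%3E"',
    '2025-12-01T10:00:05Z 203.0.113.9 POST /wp-admin/admin-ajax.php body="nx-preview=%253Cscript%253Etest"',
]


def _version_key(version: str):
    """Turn '3.2.0', '3.2' or '3.2.0-beta1' into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return _version_key(version) < _version_key(fixed)


def _decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that
    double-encoded input is inspected in its final form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_preview_requests(log_lines):
    """Return [(line_number, marker)] for lines whose nx-preview parameter,
    once decoded, contains one of the advisory's script markers."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = PARAM_RE.search(line)
        if not match:
            continue  # no nx-preview parameter on this line
        value = _decode_fully(match.group(1)).lower()
        for marker in SCRIPT_MARKERS:
            if marker in value:
                hits.append((number, marker))
                break  # one finding per line is enough for alerting
    return hits


if __name__ == "__main__":
    for v in ("3.1.9", "3.2.0", "3.2.1"):
        state = "AFFECTED" if is_affected_version(v) else "fixed"
        print(f"NotificationX {v}: {state}")
    for number, marker in suspicious_preview_requests(SAMPLE_LOG):
        print(f"line {number}: nx-preview contains {marker!r}")
```

In a real deployment, feed the scanner the log source that actually records request bodies (a WAF or application log, since standard web-server access logs omit POST bodies), and treat a hit as a trigger for the review steps in the sections above rather than as proof of compromise.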
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail=
- https://research.cleantalk.org/cve-2025-15380/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve